AACS: Slow Start on Traitor Tracing

Alex wrote on Thursday about the next step in the breakdown of AACS, the encryption scheme used on next-gen DVD discs (HD-DVD and Blu-ray): last week a person named Arnezami discovered and published a processing key that apparently can be used to decrypt all existing discs.

We’ve been discussing AACS encryption, on and off, for several weeks now. To review the state of play: the encryption scheme serves two purposes: key distribution and traitor tracing. Key distribution ensures that every player device, except devices that have been blacklisted, can decrypt a disc. Traitor tracing helps the authorities track down which player has been compromised, if key information is leaked. The AACS authorities encode the header information for each disc in such a way that keys are distributed properly and traitor tracing can occur.

Or that’s the theory, at least. In practice, the authorities are making very little use of the traitor tracing facilities. We’re not sure why this is. They surely have an interest in tracing traitors, and failing to encode discs to facilitate traitor tracing is just a lost opportunity.

The main traitor tracing feature is the so-called sequence key mechanism. This mechanism is not used at all on any of the discs we have seen, nor have we seen any reports of its use.

A secondary traitor tracing feature involves the use of processing keys. Each player device has a unique set of a few hundred device keys, from which it can calculate a few billion different processing keys. Each processing key is computable by only a fraction of the players in the world. Each disc’s headers include a list of the processing keys that can decrypt the disc; any one of the listed processing keys is sufficient to decrypt the disc.

For some reason, all existing discs seem to list the same set of 512 processing keys. Each player will be able to compute exactly one of these processing keys. So when Arnezami leaked a processing key, the authorities could deduce that he must have extracted it from a player that knew that particular processing key. In other words, it narrowed down the identity of his player to about 0.2% of all possible players.

Because all existing discs use the same set of processing keys, the processing key leaked by Arnezami can decrypt any existing disc. Had the authorities used different sets of processing keys on different discs – which was perfectly feasible – then a single processing key would not have unlocked so many discs. Arnezami would have had to extract and publish many processing keys, which would have made his job more difficult, and would have further narrowed down which player he had.

The ability to use different processing key sets on different discs is part of the AACS traitor tracing facility. In failing to do this, the authorities once again failed to use the traitor tracing mechanisms at their disposal.

Why aren’t the authorities working as hard as they can to traitor-trace compromised players? Sure, the sequence key and processing key mechanisms are a bit complex, but if the authorities weren’t going to use these mechanisms, then why would they have gone to the difficulty and expense of designing them and requiring all players to implement them? It’s a mystery to us.

Perhaps AACS is not that important for protecting content. I’ve long felt that the value and convenience of movies on DVD is in line with their retail price.

Perhaps the entire AACS mechanism is less about protecting content than it is about protecting the regional windowed release system. This is still important, because for many movies, it seems that international release is still ongoing when it comes time for DVD releases in the North American market. Diverting discs to the overseas grey market that hasn’t seen the movie yet would be far easier and far more lucrative.

Having let experts design AACS (and design being a sunk cost) they can then run it using only enough features to match their goals.

One is reminded of missle launch locks in the U.S. having their codes set to ‘00000000’ for many years because the interests of the system users were different than the system designers.

We also have to remember that we’re thinking of what could be done by rational people, without any regard for corporate bloat, mismanagement, or incompetence. It’s entirely possible that even though the technology allows for traitor-tracking, the people responsible for doing it either aren’t available or aren’t actually capable.

I’m a bit confused why they would want to start traitor tracing. As soon as the authorities play their hand and start blacklisting keys it officially becomes war. At that point all (for certain values of all) it takes is for someone to get the keys out of the two or three most popular DVD players and wait.

Will the authorities DOS themselves? The option is to allow the pirates to carry on as they are, or piss off all those people that paid good money for top of the range DVD players… which they would render useless. That’s why they won’t start blacklisting: they would paint themselves into a corner.

I found an article on AACS yesterday. They use a modified subset difference tree that only populates subtrees up to depth 22. This requires 22*23/2 or 253 device keys per player. The full tree is of depth 31 so there are 2^(31-22) or 512 independent subtrees, as you mention. Within each one of these subtrees, one leaf node is reserved and not assigned, and that is the one used as the processing key when no devices in that subtree have yet been revoked.

AFAIK all the work on this processing key so far has been on one brand of software player, and my guess is that all instances of a given brand of player will use the same device keys. So at this point we are probably in just one subtree, and we are using the processing key of that one reserved node.

However there are potentially many ways to use the subset-difference structure to exclude the one reserved node. The node itself has 22 different processing keys associated with it, one for each subtree depth up to 22. I’m not sure if they can avoid using at least one of these 22 processing keys in the encryption. I need to look at the paper, which I believe is http://eprint.iacr.org/2001/059 .

As regards what Steph says – it depends on what you mean by “feature”. That could imply “attribute” or it could imply “intended purpose”. I reckon that Ed meant the former.

I am sure that perusing hackers forums is not a design feature of the AACS specification, but at the moment, that is probably the easiest, and possibly the only way that the AACS LA can do any traitor tracing.

I listened to some of the coverage on Security Now about AACS, and politically it does seem unlikely that a player might get their keys revoked.

Even with the ability too, the consumers would revolt against the manufacturer and likely the AACS system itself with enough tough media scrutiny.

The ‘authorities’ probably know this and are sticking this facility up as a bit of a straw man, and not fully implementing the revocation ability. There might even be a most secret, secret, secret part of the spec where portions of AACS might not be used in actual implementations, making things a bit easier for implementors.

It is true in many application domains that initial requirements for ranges or particular features are substantially in excess of what portion of those features are actually going to be used. Sometimes, and I suspect even often, this goes hand in hand with the most important features being underspecified or plainly forgotten.

Usually that’s because the entities driving the design have their own, well, “unique” perspective, and often have grandiose ideas of how the system is going to be used which is either not what is needed, or which exceeds what actual user organizations or their business processes can handle in practice.

Let’s not forget how poorly Sony (or some particular “genius” in Sony’s employ) seemed to understand the implications inherent in using rootkit DRM. Whatever business entity (which employs “very smart” people) is responsible for deciding to use the several various key complexities built into the AACS specification for content encryption could easily make a blunder that would unintentionally alienate the consumer (by, as others have pointed out, disabling popular players). I eagerly await the expensive fallout.

The initial “mistake” here is that the AACS organisation allowed software players on Windows in the first place. But, it is so patently obvious that the device keys can not be kept secure in a software player that this was certainly not a mistake but a well calculated move.

My guess is that due to all the delays that have been starting with standard squabbles and then followed up by delays in getting standalone players to market they simply choose to bite the bullet and allow software players to jumpstart things.

Since the software players arn’t secure there is no point in spending time and money on traitor tracing and other mastering tricks, everyone already knows where the keys come from, WinDVD and PowerDVD.

When there are plenty of standalone players to choose from at reasonable prices and TCP and Palladium is in every PC expect to see the current software players to be yanked and traitor tracing go into full swing.

Since I am accused of trolling, here is my reasoning why the serie of articles about AACS is misleading and unfortunately spreading false information ( no preview button, I hope it will be readable):

AACS Decryption Code Released
—————————–

The article said that keys had been released (before correction). This was obviously wrong and just sloppy reporting of random internet rumors. The article then says that device keys are specific to a device ID. Most device keys are not specific to a device, this can readily be seen from the tree structure of the subset difference algorithm.

AACS: Extracting and Using Keys
——————————-

Article says “Title keys will, however, be enough to enable in-home fair use”. & “This leads to an interesting strategic game between the engineer and the central authority, which weâ€™ll explore in the next post.”
This shows that Ed has at this point no knowledge of the traitor tracing scheme of AACS (sequence keys).
When I mention sequence keys in a comment, Ed replies: “Of course I have read the AACS specifications. […] Can you explain why you think the sequence key mechanism changes the basic analysis here?”
Proof that Ed has no idea about the traitor tracing scheme of AACS and what they mean in the big picture.

AACS: Blacklisting, Oracles, and Traitor Tracing
————————————————

Explanation of the blacklisting scheme is correct. However all the following theory on how to avoid blacklisting and about oracle shows that the author has still no knowledge at all of sequence keys. Indeed, all this BL avoidance theory makes absolutely no sense when you know that this was already taken into account by the AACS developers and is totally countered by the sequences keys scheme.
The part about decryption oracles makes no sense. If you understand AACS, you will see that decryption oracles will never be an useful option for hackers. (Mainly because the sequence key mechanism renders oracle useless).
The article makes even less sense when it claims “The central authority creates a phony disc header that can be decrypted by about half of the possible devices” Meaning that the subset difference mechanism will be used as a traitor tracing scheme. It makes no sense because 1. the subset difference mechanism is a key revocation mechanism not a TT mechanism. 2. The central authority will use the sequence keys to trace traitors, which was designed to this effect.

AACS: Game Theory of Blacklisting
———————————

I don’t have much to say about this one apart that Ed has visibly no knowledge either of the pirate scene or of the content providers’ point of view.
Basically the actors don’t act rationnaly like the article claims. Content providers mostly act upon their political agenda and most pirates are driven by ego (overly simplified). This breaks the game theory model presented in the article.

AACS: Title Keys Start Leaking
——————————

Same game theory nonsense. “Holywood” is probably not thinking of which “window” they want to give hackers. I think that what is happening right now is lawyers starting the “security breach process” as probably present in the contract between AACSLA, content providers and Cyberlink & co to find out each actor’s responsability and next steps.

AACS: Sequence Keys and Tracing
——————————-

Ed finally got time to learn about the sequence keys. However, he still claims he left out sequence keys on purpose: “Throughout our AACS discussion, we have done our best to simplify things so readers could follow our logic without having to digest the entire technical specification”. But I already showed that the other articles don’t make sense if you have any knowledge of the sequence key mechanism.

AACS: Modeling the Battle
————————-

Like several have already said in the comments for this article, this is again nonsense based on false assumptions that the content creators are rational actors.

AACS: A Tale of Three Keys
————————–

Mentions the research done by Arnezami. What evdberg, one of the hackers on doom9 author of the AACS VUK validator , thinks of this article: “Unfortunately this guy is plain wrong in what he writes about the processing key … sigh … he should have read this thread more carefully …”
So another guys that knows his stuff about AACS thinks that Ed is full of it.

Long and unconvincing. Essentially, your argument is, “The sequence key mechanism is part of the spec, even though nobody has implemented it yet. Therefore, Ed Felten is wrong.” Will sequence keys complicate matters if the facility ever gets used? Sure. But it doesn’t make Ed’s previous articles incorrect for what we’re dealing with today.

It does make Ed incorrect because you can directly see that his predictions about the AACS future are wrong if you read the spec. In fact, they already wrong on most accounts. Did you see any AACS online oracle lately?

sadsac:

For the article “AACS: Blacklisting, Oracles, and Traitor Tracing” I correctly mention “the author” instead of Ed. For the next one I admit that I made a mistake. Sorry.

By the way, accusing my argument to be wrong on a small naming mistake instead of debating the points I made is a “strawman fallacy”.

Steph, actually it’s not strawman since I didn’t state or imply that your argument was wrong (in terms of it’s merits relative to AACS), but rather that your personal insults were perhaps directed towards the wrong person.

Your emotively charged statments such as â€˜bullshit as usualâ€™, â€˜Felten has no idea what he is talking about as usualâ€™, and ‘Ed is full of it’ are arguments against the person (Ed), and not about the subject matter.

In the past, others here have posted comments about errors in the articles, usually in a pleasant manner with the interest of improving accuracy.

Your arguments are mean spirited and seem to be at least partly focused on attacking Ed. What resolution do you seek from such attacks? Are you suggesting that Ed should stop writing about AACS, or that all readers interested in AACS should read about it only on the doom9 forums?

I agree with Steph in that this is not an intelligent game of chess; this is about an industry manned by your typical average marketing blokes and lawyer types and greedy executives and some such, trying to survive in a time when they are no longer needed, by forcefully injecting themselves into relevance, in the form of this overly architectured protection scheme. The more they try, the more they bury themselves.

They know that all this DRM only hurts the people actually buying their products, i.e., their clients, because they’re the only ones that are affected if the scheme fails, i.e., a legally bought movie doesn’t play in a legally bought player. And it’s because they know this that there won’t be any revocations issued anytime soon, if ever. Because while alienating one user because their CD won’t play is one thing, alienating entire swarms of legitimate users by revoking a player is quite a different one.

And they know they’re surviving by a thread that’s called “public momentum” – while there is none, they are ok, but once you get enough of your average joe crying out blood because he can’t see his movie, it’s bye-bye time.

Since we’re still talking about your average greedy executive and your average seedy marketing type, and you’re talking about a rather set-in-the-old-ways averse-to-change and rather corrupt and greedy industry that is the entertainment industry, they’re all trying to convince each other that, really, they can do this, these schemes work, yes, yes – but it’s a nice faÃ§ade, and they really don’t want to take the next step.

There’s no smartness and cunning involved in this game, on either side. Crackers do it for fun, kicks and ego, the entertainment industry does it because it’s been doing it for far too long to know otherwise. The crackers will win because fun is so much better as an incentive, the entertainment industry will lose because it only takes someone sufficientely high up to change it’s ways for everything to topple down like the house of cards it is.

I felt that your post was implying that I was wrong. I it is not the case, it is indeed not a strawman.

I 100% agree that my statments “are emotively charged”. Sorry, I don’t come from the culture of politically correct USA.

However, I deny your allegations that I use “ad hominem”. I would if I said “Ed is wrong because he is gay/black/right wing/old…”. But I didn’t attack Ed’s person of beliefs, I just say that the quality of his articles is low due to sloppy reporting (with stronger wording). This is not “ad hominem”.

> What resolution do you seek from such attacks?

I hope that the people who are writing “if you want to know all about AACS check Ed’s great articles” come to see that said articles will not enlighten them at all about AACS to the contrary.

> Are you suggesting that Ed should stop writing about AACS, or that all readers interested in AACS should read about it only on the doom9 forums?

I suggest that Ed and friends:

1. Really study the subject before writing an article.
2. Admit when they are wrong.
3. Don’t post as an authority on subjects they don’t understand clearly.

The explanation for why they are not using all of the features of AACS is simple: production/mastering process/software is immature, and they have not hashed out the organizational specifics of how everything’s going to work from a process point of view.

At this point, shipped HD content is mostly cannon fodder demo material. Alot of it is old shovelware too.

Why aren’t most BD disks using H264/AVC? Why is there a lack of sophisticated BDJ disk content? HDDVD and BRD producers have had a hard enough time struggling to get the market, increasing disk yields, master disks with high quality encodings, etc.

I think with respect to AACS, they are utilizing the minimum and safest features right now to get disks to market early, and that leveraging fullblown TT features will require significantly more work on the authority side, both from a technical point of view, as well as from an investigatory/personnel point of view, namely, even if they could trace culprits, they have probably not fully hashed out the process of dealing with it yet.

I bet not many disks will feature revocations either, not because they don’t want to use AACS features for preventing hacked keys from being used, but because they are probably still prototyping/testing the whole pipeline from TT key generation, to publishing, to detection, to revocation/legal pursuit, etc. Think about it. Who is responsible for doing TT, who calls whom, and what actions are taken after discovery? It’s not a simple process.

Too often these mathematical discussions of protocols ignore the organizational issues with implementing complex software and putting complex processes in place. It’s as if, once there’s a specification, one assumes the implementation and internal bureaucratic processes are perfected and fine tuned as well.

If someone wants a detailed technical explanation of aacs, then they should go to the aacs la site and read all the documentation.

I think that the blog here is quite clear.

The sequence key system was designed to faciltate traitor tracing – but it has not been implemented.

The way in which processing keys are set up is not a traitor tracing system per se. But it can be used for that purpose. By setting it up as they did thus far, not only could it not be used for that purpose, but they made exploiting a compromised key far more useful than needed to be.

I don’t get why such a huge mystery is made out of the fact that sequence keys weren’t yet implemented. Even if the mechanism could already have been implemented (and several people here have made credible claims that AACS LA just might not have been up to it with the first wave of releases, technologically and/or organisationally), what would it have gained them? It was clear as daylight that one of the software players would be first to be compromised; there are only two of those; and all the details are up on doom9.org for everyone to read. Traitor tracing, what for? Of course, later releases might well be a different story entirely.

As for “they made exploiting a compromised key far more useful than needed to be”, I’m not so sure that’s true. The spec suggests that all MKBs will be linearly versioned, and that a new version will be released only when e.g. a player is to be revoked. From reading the spec, I don’t get the impression that they plan to release different versions of the MKB for every title. (Identical MKBs mean that the same processing key will work.) Of course they might change that policy if processing keys remain as vulnerable as they are, but for the first batch of releases I think it was planned that way.

There are still some questions which I haven’t seen answers to from people familiar with AACS.

Is it expected and required that different discs will have different Media Key Blocks? Or is it expected that at a given time, pretty much all discs will have the same MKB?

This blog entry expresses surprise that all discs use the same MKB. It is phrased as surprise that all discs use the same processing key, but that follows from the fact that they all use the same MKB.

Why the surprise? That gets back to my question. Did people think that every title would have a unique MKB? From my reading of the papers, that was not anticipated by the designers of the subset difference encoding. They provide only a single algorithm to go from the set of revoked players (at this point, none) to the “cover” for the tree, which leads immediately to the MKB. Now, variants on this algorithm are clearly possible, but the authors don’t discuss it. It looks to me like they thought it was perfectly reasonable that, at any given time, all discs would have the same MKB.

So what exactly is or was the AACS plan regarding this issue? How did or do they expect to respond when a processing key is published from the MKB being used apparently by all discs at a given time? I’d like to see some informed commentary on this issue.

I don’t think that they expected or planned to vary the MKB’s in that way in order to slow down the effect of any processing keys compromises. I think the point is that there are a number of things that could have been done to make it more awkward to glean the necessary information to copy large numbers of titles, but were not done.

I think there is probably an underlying dilemma. I imagine that unless movies released on a new disk format are playable on pc’s, that demand would not justify getting involved to start with. Yet, the pc platform appears to be inherantly insecure in terms of trying to enforce this type of drm.

It is now being said on some forums that some of the ways that these keys are being grabbed whilst the players are actually playing the disk, are not contingencies that the software purveyors were required to cater for. Which might be why the authors of the players are denying that they have fallen short of what they were asked to do. In fact, that begs the question whther it is possible to keep these keys secure at all.

I wonder if the progenitors of the aacs system anticipated people being able to grab keys whilst playing the disk in these ways.

The problem is that software player keys are easy to change because they can simply require all software player owners to update. The ideal move would be to break the AACS in one of the more widely used non-software HD-DVD players, since then a recall would have to be issued in order to blacklist that particular processing key.

Arnezami had a solid method for extracting the processing key, but I assume that newer players will be more careful about allowing their keys in the memory long enough to be read. Essentially, the game just got harder.

According to current discussions on certain forums. “new” hd disks are starting to circulate which are post revocation. It appears that (a) the sequence key system still has not been utilised on these disks, and (b) there has been no attempt to address the x-box hack.

Also, there is speculation that the x-box hack is of such a nature that exploitable hardware cannot be “upgraded” by revocation and updates, and that it would have to be revoked and replaced, or hardware compnents replaced by a tecnician in each affected machine. There is also some speculation that a similar dilemma faces trying to close the so called bios-hack for Vista, and a cynic would possibly see a common factor there.

Freedom to Tinker is hosted by Princeton's Center for Information Technology Policy, a research center that studies digital technologies in public life. Here you'll find comment and analysis from the digital frontier, written by the Center's faculty, students, and friends.